After logging into the administration interface of your site, go to
the Config section and click Make a new config setting. In the
dialog box, enter mod_admin_identity for Module, password_regex for Key and
your password rule regular expression for Value.

After saving, your password complexity rule will now be enforced on
all future password changes.

When you migrate a legacy system to Zotonic, you might not want your
users to re-enter their password before they can log in again.

By implementing the identity_password_match notification, you can
have your legacy passwords stored in a custom hashed format, and
notify the system that it needs to re-hash the password to the
Zotonic-native format. The notification has the following fields:

-record(identity_password_match, {rsc_id, password, hash}).

Your migration script might have set the username_pw identity with
a marker tuple which contains a password in MD5 format:

Now, in Zotonic when you want users to log on using this MD5 stored
password, you implement identity_password_match and do the md5
check like this:

observe_identity_password_match(#identity_password_match{password=Password, hash={hash, md5, Hash}}, _Context) ->
    case binary_to_list(erlang:md5(Password)) =:= z_utils:hex_decode(Hash) of
        true ->
            {ok, rehash};
        false ->
            {error, password}
    end;
observe_identity_password_match(#identity_password_match{}, _Context) ->
    undefined. %% fall through

This checks the password against the old MD5 format. The {ok, rehash}
return value tells Zotonic to update the user's password hash. As a
result, this function is only called once per user: from then on, the
password is stored using Zotonic's internal hashing scheme.
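The legacy MD5 comparison described above can be kept in a small helper that is testable without a running site. This is an added example, not Zotonic's own code: the module name and all function names are hypothetical, and it assumes the legacy hash is stored as a hex string. It goes slightly beyond the observer above by accepting upper-case hex, rejecting malformed hashes instead of crashing, and comparing digests without an early exit.

```erlang
%% Added example, not Zotonic code; module and function names are hypothetical.
-module(legacy_md5_check).
-export([check/2, selftest/0]).

%% Returns the same values as the observer: {ok, rehash} | {error, password}.
%% Can be called from observe_identity_password_match/2 as check(Password, Hash).
check(Password, StoredHex) ->
    Computed = erlang:md5(Password),                % 16-byte binary digest
    case decode_hex(iolist_to_binary(StoredHex)) of
        {ok, Stored} when byte_size(Stored) =:= 16 ->
            case equal_ct(Computed, Stored, 0) of
                true -> {ok, rehash};
                false -> {error, password}
            end;
        _ ->
            {error, password}                       % malformed or wrong-length hash
    end.

%% Decode upper- or lower-case hex; any other character yields 'error'.
decode_hex(Hex) when byte_size(Hex) rem 2 =:= 0 ->
    try {ok, << <<(hexval(H) * 16 + hexval(L))>> || <<H, L>> <= Hex >>}
    catch error:function_clause -> error
    end;
decode_hex(_) ->
    error.

hexval(C) when C >= $0, C =< $9 -> C - $0;
hexval(C) when C >= $a, C =< $f -> C - $a + 10;
hexval(C) when C >= $A, C =< $F -> C - $A + 10.

%% Compare two equal-length binaries without stopping at the first mismatch.
equal_ct(<<X, RestA/binary>>, <<Y, RestB/binary>>, Acc) ->
    equal_ct(RestA, RestB, Acc bor (X bxor Y));
equal_ct(<<>>, <<>>, Acc) ->
    Acc =:= 0.

%% Constructed sample: MD5("password") as a legacy system might have stored it.
selftest() ->
    Hex = "5f4dcc3b5aa765d61d8327deb882cf99",
    {ok, rehash} = check(<<"password">>, Hex),
    {ok, rehash} = check("password", string:uppercase(Hex)),
    {error, password} = check(<<"Password">>, Hex),
    {error, password} = check(<<"password">>, "not-a-hash"),
    ok.
```

Compile it with c(legacy_md5_check) in an Erlang shell and run legacy_md5_check:selftest() to confirm the behaviour before wiring it into the observer.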